Closed vargenau closed 9 months ago
I agree - the validation for the SPDX file path name is in the SPDX Java Library - so I'm transferring the issue there.
PR #196 explicitly checks for "./". Now that I think about this, perhaps it should only disallow absolute file paths - those starting with "/".
@vargenau - what do you think?
Yes, I would only forbid absolute paths, those starting with "/".
The spec says "In general, every filename is preceded with a ./", so this seems to be a recommendation, not something mandatory.
I will ask the opinion of the community in the tech mailing list.
It seems the community agrees that only paths starting with "/" should be rejected. Paths are not required to start with "./".
Thanks @vargenau for checking on this - I've updated the PR to only reject the absolute paths.
Anchore Syft tool generates the following SPDX (tag:value):
tools-python complains that it is invalid SPDX.
tools-java says that the SPDX file is valid.
The SPDX spec says: "A relative filename".
So I would expect tools-java to mark the file as invalid.
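The rule this thread settled on (reject only names starting with "/", accept relative names with or without "./"), applied to `FileName:` tags in a tag:value document. This is an added example, not code from tools-java, tools-python or Syft; the sample document is constructed and the function name `check_file_names` is hypothetical.

```python
import re

# Constructed tag:value sample (not the Syft output from the issue).
SAMPLE = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
PackageComment: <text>Built from
FileName: /not/a/tag (this line is inside a multi-line text value)
</text>
FileName: ./src/main.c
FileName: lib/util.c
FileName: /usr/bin/tool
"""

FILE_NAME_TAG = re.compile(r"^FileName:\s*(.*?)\s*$")


def check_file_names(text):
    """Return (line_number, file_name, is_valid) for every FileName tag.

    A name is invalid only when it is absolute (starts with "/").
    A leading "./" is accepted but not required.
    """
    results = []
    in_text = False  # True while inside a multi-line <text>...</text> value
    for number, line in enumerate(text.splitlines(), start=1):
        if in_text:
            # Skip everything up to and including the closing delimiter.
            in_text = "</text>" not in line
            continue
        if "<text>" in line and "</text>" not in line:
            in_text = True
            continue
        match = FILE_NAME_TAG.match(line)
        if match:
            name = match.group(1)
            results.append((number, name, not name.startswith("/")))
    return results


if __name__ == "__main__":
    for number, name, is_valid in check_file_names(SAMPLE):
        status = "ok" if is_valid else "absolute path rejected"
        print(f"line {number}: {name}: {status}")
```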